Still, if we're about to encumber $825 Billion of my children's funds, I thought it would be nice to see what Cyber, CyberCrime, and CyberSecurity Goodies might be waiting under the Christmas Tree.

For starters, we have the "Wireless and Broadband Deployment Grant Programs", established in section 6002 of division B of this Act, which will receive $2,825,000,000, of which $1,000,000,000 shall be for Wireless Deployment Grants and $1,825,000,000 shall be for Broadband Deployment Grants. I'd love to see the project plan and budget spreadsheets that came out to that nice round $1 Billion. (So, how much do we need to provide wireless access for everyone? Hmmm...when we add it all up it comes up to exactly $1 Billion. How convenient!)

Other things under Commerce Justice and Science that touch on technology:

Commerce

$650,000,000 for the Digital-to-Analog Converter Box Program

$100,000,000 for the National Institute of Standards and Technology for Scientific and Technical Research and Services.

$100,000,000 for "Industrial Technology Services", of which $30,000,000 shall be for Hollings Manufacturing Partnership.

$300,000,000 for "Construction of Research Facilities"

$400,000,000 for the National Oceanic and Atmospheric Administration "for habitat restoration and mitigation activities"

Social Security Administration

Testing of Health Information Technology

Not much analysis here today, just thought these were some aspects of the Stimulus package that might be of interest to the readers here.

Oh - One other Cyber thing - throughout the bill, there is a requirement to document how funds are used by giving updates to the Internet website, "recovery.gov". I have to say that's a nice touch in the first legislation of the year -- here is the website where you MUST INFORM THE AMERICAN PEOPLE.

Monday, January 19, 2009

It's been quite a while since we've had a true run-away worm on the Internet, but if the claims of F-Secure are accurate, we've certainly got one on our hands now. At the end of this article is a list of the domain names ACTUALLY USED by the worm on January 13-16. The headlines have been ticking the number of infected machines forward for five days now, all based on F-Secure's successful monitoring of the worm via calculated domain names:

The source for nearly every one of the thousands of media pieces about this worm has been F-Secure. In Friday's blog, they answered the many challenges about their methodology that they have received in their article Calculating the Size of the Downadup Outbreak. Briefly, each worm-infected computer has the ability to calculate a seemingly random domain name where it can receive new updates of the malware. There are as many as 250 possible domain names each day being calculated by the worm. As long as ANY of those domains are still live, the worm will be able to update itself to perform new functions. F-Secure has registered some of these domain names itself, and counts the number of infected computers which contact the domains it controls looking for an update. Each of the infected computers will show its IP address, as well as the number of computers which it claims to have infected itself. In a single day as many as 350,000 unique computers hit the domains controlled by F-Secure. Adding up the number of computers each of these computers claims to have infected -- and some are claiming more than 100 infections each -- is how F-Secure reaches its estimate, which they are calling conservative, knowing that many of the computers are choosing domain names other than their own with which to check in for an update.

The underlying vulnerability used to spread the Conficker worm was addressed by Microsoft with the patch MS08-067 back on October 23, 2008, yet the malware has only recently started a true run-away spread.

Malware researchers report that the vast majority of the infected computers are on corporate networks, not home computers. There are two reasons for this:

As counter-intuitive as this sounds, many corporate networks have disabled the "automatic patching" that many home users have set as their default machine behavior. Because of a need for greater testing in corporate environments, many corporations believe it is acceptable to delay weeks or even months before applying recommended security patches from vendors. Any IT organization that willingly chose NOT to install this patch, after it was issued as a rare "emergency out of cycle patch", seriously needs to investigate whether their security staff needs training in Risk Management. HINT: If Microsoft breaks its Second Tuesday rule to issue a patch, they have performed the risk formula (Risk = Threats x Vulnerabilities x Value of Assets) and determined the Risk Is Very High!

Secondly, the worm spreads by scanning for a direct connection to the computer, rather than relying on human interaction. Most firewalls will actually block the worm, so the best way of catching it is to have an infected computer ON THE SAME SIDE OF THE FIREWALL as your machine. Because the other primary infection vector is an infected USB drive, employees who shuttle data back and forth to the house on a USB drive are often the Patient Zero for a corporate network outbreak. Once the worm arrives in an organization on an infected thumb drive, if the organization has not patched their machines, EVERY MACHINE IN THE CORPORATION is now an open target.

Because the worm can also spread by learning or guessing the Administrator password on network drives, organizations that allow administrators to connect to every workstation on the network using the same administrative password are especially vulnerable. As soon as the worm either guesses or learns via observation the Administrator password, every machine on the network can execute the worm code EVEN IF IT IS PATCHED! The patch prevents the machine from being hacked via the Windows Server RPC vulnerability. It does not prevent an Administrator from logging in to the machine and executing code, which is exactly what the worm does once it has tried the correct password. The Worst Case Scenario? A Domain Administrator visits an infected machine to try to disinfect it, sits down at the keyboard and logs in using his Domain Administrator password. As soon as that occurs, every machine on the network can be quickly compromised.

Computerworld's Gregg Keizer reported on January 15th that 1 in 3 Windows PCs remained vulnerable.

The primary means for the virus to restart itself on an infected machine is the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

That key contains many critical network services which should be allowed to execute. If infected, the last entry in the list will be a key with a randomly generated name. The example in Microsoft's article is "axyczbfsetg", but yours will be something different. There are many more steps to manual removal, which can be found in the Microsoft support document above (KB 962007).
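As an added example (my illustration, not code from the blog or from Microsoft's KB article), here is a baseline check of that SvcHost "netsvcs" list: it parses the output of `reg query ... /v netsvcs`, flags any entry missing from a known-clean baseline, and notes whether the stray entry sits last and looks randomly generated. The baseline and the sample `reg query` output are constructed for this example; build the real baseline from your own clean reference machine.

```python
"""Baseline check of the SvcHost 'netsvcs' list that Conficker appends itself to."""
import re
import subprocess
from typing import List, Optional

SVCHOST_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"

# Illustrative baseline of netsvcs entries as seen on a clean Windows XP SP3
# machine. ASSUMPTION of this example only: replace it with the list captured
# from your own known-clean reference image.
CLEAN_NETSVCS_BASELINE = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "EventSystem",
    "HidServ", "Ias", "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation",
    "Messenger", "Netman", "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent",
    "Rasauto", "Rasman", "Remoteaccess", "Schedule", "Seclogon", "SENS",
    "Sharedaccess", "SRService", "Tapisrv", "Themes", "TrkWks", "W32Time",
    "WZCSVC", "Wmi", "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov", "BITS",
    "wuauserv", "ShellHWDetection", "helpsvc", "uploadmgr", "napagent", "hkmsvc",
}

# Constructed sample of what `reg query <key> /v netsvcs` prints. reg.exe
# separates REG_MULTI_SZ elements with a literal backslash-zero. The trailing
# element is the random-looking name Microsoft's article uses as its example.
SAMPLE_REG_QUERY_OUTPUT = (
    "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost\r\n"
    "    netsvcs    REG_MULTI_SZ    6to4\\0AppMgmt\\0AudioSrv\\0Browser\\0CryptSvc\\0"
    "LanmanServer\\0LanmanWorkstation\\0Schedule\\0wuauserv\\0axyczbfsetg\r\n"
)


def parse_reg_query_multi_sz(text: str, value_name: str = "netsvcs") -> List[str]:
    """Extract the elements of a REG_MULTI_SZ value from `reg query` output, in order."""
    pattern = re.compile(r"\s*" + re.escape(value_name) + r"\s+REG_MULTI_SZ\s+(.*)$")
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            return [e for e in m.group(1).strip().split("\\0") if e]
    return []


def unexpected_netsvcs(entries: List[str], baseline=CLEAN_NETSVCS_BASELINE) -> List[str]:
    """Entries not present in the clean baseline (case-insensitive), order preserved."""
    known = {b.lower() for b in baseline}
    return [e for e in entries if e.lower() not in known]


def looks_randomly_generated(name: str) -> bool:
    """Heuristic (an assumption): 8+ lowercase letters only, with a low vowel ratio."""
    if not re.fullmatch(r"[a-z]{8,}", name):
        return False
    vowels = sum(c in "aeiou" for c in name)
    return vowels / len(name) < 0.35


def triage(entries: List[str], baseline=CLEAN_NETSVCS_BASELINE) -> List[dict]:
    """Report each unexpected entry, noting if it is last (as the KB article describes)."""
    return [
        {
            "name": s,
            "is_last": bool(entries) and entries[-1] == s,
            "random_looking": looks_randomly_generated(s),
        }
        for s in unexpected_netsvcs(entries, baseline)
    ]


def read_live_netsvcs(timeout: int = 10) -> Optional[List[str]]:
    """On Windows, read the live value through reg.exe; returns None where that fails."""
    try:
        out = subprocess.run(
            ["reg", "query", SVCHOST_KEY, "/v", "netsvcs"],
            capture_output=True, text=True, timeout=timeout, check=True,
        ).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_reg_query_multi_sz(out)


if __name__ == "__main__":
    live = read_live_netsvcs()
    entries = live if live is not None else parse_reg_query_multi_sz(SAMPLE_REG_QUERY_OUTPUT)
    for hit in triage(entries):
        print(hit)
```

A hit that is both last and random-looking is exactly the pattern the KB article describes; a legitimate third-party service that is simply missing from your baseline will show up as a hit too, so check each name against the services actually installed before removing anything.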

F-Secure has been posting lists of domain names which are being calculated by DownAdUp; their most recent list, for domains which would have been used over the weekend, contained exactly 1,000 domain names: 250 each for Jan 13, 14, 15, and 16. Rather than list all 1,000, I took the approach of running a WHOIS against each of the 1,000 domains on their list and recording which ones were actually registered. So, here are the domains which ACTUALLY HAVE BEEN REGISTERED, out of the list of 1,000 potential names.

In all there were 57 domain names which had been registered out of the 1,000.
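The WHOIS sweep described above, written out as an added example (mine, not the blog's own script): it reads a candidate list, runs the system `whois` client against each name, classifies each reply as registered, unregistered or unknown, and lets you exclude the legitimate collisions the way the post does. The "unregistered" phrases are a heuristic, since WHOIS output is not standardised, and the embedded WHOIS replies are constructed so the example runs offline.

```python
"""Sweep a list of candidate DGA domains and record which ones are registered."""
import sys
import subprocess
from typing import Callable, Dict, Iterable, List

# Phrases common WHOIS servers print for an unregistered name. Heuristic and an
# assumption of this example: each TLD's server words its answer differently.
UNREGISTERED_MARKERS = (
    "no match for", "not found", "no entries found", "no data found",
    "domain not found", "status: free", "status: available",
    "is available for registration",
)
# Replies that mean "ask again later", which must not be read as "unregistered".
THROTTLE_MARKERS = ("rate limit", "quota exceeded", "too many requests")


def classify_whois(output: str) -> str:
    """Map raw WHOIS text to 'registered', 'unregistered' or 'unknown'."""
    text = (output or "").lower().strip()
    if not text or any(m in text for m in THROTTLE_MARKERS):
        return "unknown"
    if any(m in text for m in UNREGISTERED_MARKERS):
        return "unregistered"
    return "registered"


def whois_lookup(domain: str, timeout: int = 20) -> str:
    """Run the system whois client; errors and timeouts yield '' (classified unknown)."""
    try:
        return subprocess.run(
            ["whois", domain], capture_output=True, text=True, timeout=timeout
        ).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def parse_domain_list(text: str) -> List[str]:
    """One domain per line; blank lines and '#' comments skipped, names lower-cased."""
    domains = []
    for line in text.splitlines():
        line = line.strip().lower().rstrip(".")
        if line and not line.startswith("#"):
            domains.append(line)
    return domains


def sweep(domains: Iterable[str], lookup: Callable[[str], str] = whois_lookup,
          exclude: Iterable[str] = ()) -> Dict[str, str]:
    """Classify every domain; names in `exclude` (known legitimate collisions) are dropped."""
    skip = {d.lower() for d in exclude}
    return {d: classify_whois(lookup(d)) for d in domains if d not in skip}


def registered_only(results: Dict[str, str]) -> List[str]:
    """The sorted subset that is actually registered (the list the post publishes)."""
    return sorted(d for d, status in results.items() if status == "registered")


# Constructed sample: a candidate list and canned WHOIS replies standing in for
# the live client, so the sweep can be exercised without network access.
SAMPLE_CANDIDATES = """
# constructed candidate names, one per line
aaaa.example
bbbb.example
cccc.example
dddd.example
"""
SAMPLE_WHOIS_REPLIES = {
    "aaaa.example": "Domain Name: AAAA.EXAMPLE\nRegistrar: Example Registrar\nCreation Date: 2009-01-13",
    "bbbb.example": 'No match for "BBBB.EXAMPLE".\n>>> Last update of whois database <<<',
    "cccc.example": "",  # stands in for a timeout or an unreachable WHOIS server
    "dddd.example": "Domain Name: DDDD.EXAMPLE\nRegistrar: Example Registrar\nCreation Date: 2004-06-01",
}


def sample_lookup(domain: str) -> str:
    return SAMPLE_WHOIS_REPLIES.get(domain, "")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real sweep: python sweep.py candidates.txt [exclude.txt]
        with open(sys.argv[1]) as fh:
            candidates = parse_domain_list(fh.read())
        excluded = parse_domain_list(open(sys.argv[2]).read()) if len(sys.argv) > 2 else []
        results = sweep(candidates, exclude=excluded)
    else:  # offline demonstration on the constructed data
        results = sweep(parse_domain_list(SAMPLE_CANDIDATES), lookup=sample_lookup,
                        exclude=["dddd.example"])
    for d in registered_only(results):
        print(d)
    unknown = [d for d, s in results.items() if s == "unknown"]
    if unknown:
        print(f"{len(unknown)} lookups returned nothing usable; re-run those later", file=sys.stderr)
```

Keep the "unknown" bucket separate from "unregistered": a throttled or unreachable WHOIS server otherwise silently shrinks the registered count.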

A tip of the hat to our friends at Georgia Tech, F-Secure, and Shadow Server, for reasons each will understand.

In what could be horrible news for certain domain name owners, five of the domains being automatically calculated on this list belong to actual domain owners. Apparently the malware's random domain calculator can randomly calculate some actual domains. Fortunately, of the domains thus affected only one is an actual company, (a German company, whose logs I would REALLY like to get my hands on!) while the other four seem to have been registered speculatively by domain investors. I've excluded all five from my results.

Thursday, January 08, 2009

Today the anti-Israeli hackers for the first time brought their Cyber Propaganda War to Washington DC in the form of their attack against the United States Army's Military District of Washington website, www.mdw.army.mil

The defaced website can still be seen via Google's cache:

What is MDW?

MDW encompasses Fort Myer, Fort McNair, Fort Belvoir, Fort A.P. Hill, Fort Meade, Fort Holabird, Fort Ritchie, 12th Aviation Battalion at Davison Army Airfield, and Arlington National Cemetery. Its mission is to respond to crisis, disaster, or security requirements in the National Capital Region (NCR), provide base operations support for Army and DoD organizations throughout the NCR, and conduct official ceremonies, locally and worldwide, on behalf of the nation's civilian and military leaders.

According to Zone-H, websites that were hit by the group included:

soa.mdw.army.mil
mdw.army.mil
mdwweb.mdw.army.mil

They also hit the Italian UNICEF website, and the website www.nato-pa.int, the NATO Parliamentary Assembly website in Brussels, Belgium.

In recent months the group also defaced websites belonging to anti-virus vendors Eset and Nod32, as well as Microsoft's websites in Canada, Ireland, and China; Mercedes Benz, Subaru, Mitsubishi, Fiat, Aston Martin, and Shell; Harvard University, Goodyear, the NBA, and other high profile targets.

Although the group is now calling themselves "Peace Crew", the same membership was calling itself "Terrorist Crew" as recently as December.

In addition to the army.mil sites above, Agd_Scorp also defaced the website www.jfhqncr.northcom.mil. On a Turkish language website, the attack is claimed to be an SQL Injection attack against an ASP page on a Microsoft IIS 6.0 webserver.

This is the "Joint Force Headquarters, National Capital Region" of the Northern Command. Prior to the website being taken offline as a result of the hacking, the page read like this:

On Sept. 11, 2001 no one believed the National Capital Region would be a target for those who wish to do us harm. As a nation, we found that to be false. In direct response to the events of that fateful day, JFHQ-NCR was established as the responsible headquarters for land-based homeland defense, defense support to civil authorities and incident management in the national capital region. We have unique skills and are prepared to defend people, territory, critical infrastructures and sovereignty in a supporting role to a lead federal agency.

On a 24/7 basis JFHQ-NCR monitors security requirements; coordinating with the military services, the Department of Homeland Security and local first responders in identifying capabilities the military can provide in case of an emergency or National Special Security Event (NSSE). Once an event is designated, the command becomes a Joint Task Force-National Capital Region (JTF-NCR). JTF-NCR then directs military assistance to federal and civil authorities in safeguarding the nation’s capital.

Beginning at 7:30 this morning, the UAB Spam Data Mine began receiving emails claiming to have news about the Gaza conflict from CNN News.

(A typical email)

Each of the many emails we've received points to a website that looks like this:

(click for larger image)

All of the links on the website are functional, and all really resolve to the real CNN website, with two exceptions. Attempting to play the video will result in the download of malware, and following the Adobe Player button will also result in the download of malware.

During the summer of 2008, one of the most successful spam campaigns of the year also imitated a CNN news story, leading to many home and business computers being infected by a virus.

At this time, many major anti-virus products still do not detect this malware as a virus. According to this Virus Total report only 11 of 38 anti-virus products will trigger on this file as containing a virus. (Follow the link to see if your product does or does not.)

The spam messages refer visitors to one of five different domains, each of which was registered at BizCN.com, a Chinese domain registrar which has been abused by this particular group for many months. Analysis of the malware confirms that this incident has nothing at all to do with the CyberWar being waged by pro- and anti-Israeli hackers. This is instead pure social engineering.

UAB Student and Malware Analyst, Brian Tanner, examined the Adobe_Player10.exe malware and identified that it causes your computer to download a second piece of malware from http://powerpekin.com/servicepack1.exe. That malware, which has the MD5 of 1f337515a3e96fd317dfb24e9fe67448, was only detected by 2 of 38 products at Virus Total. He then unpacked the servicepack1.exe malware and examined it to determine the stolen data was being sent to 91.211.65.30.

As with yesterday's ClassMates.com incident, the websites are being hosted via Fast Flux hosting, and the same fast flux hosts are being used for phishing as well, currently against MBNA bank and Sparkasse of Germany.

The false registration information provided on the domains claims that an imaginary employee of the BBC (Monnie Moulhem) residing in Spring Hill Florida registered the domains.

The computer which is being used as the "Nameserver" for these malware distribution domains resides at 74.63.217.81 -- which is the same computer which served as the nameserver for yesterday's Classmates.com malware.

While we know that many other subject lines will be used as the campaign progresses, some that we have seen so far include the subject lines:

Gaza emergency - UNICEF
Gaza Groups Report on War
Gaza: Israeli War Crimes?
In what became known as Israel's War of Independence
Israel Assaults Hamas in Gaza
Israel At 'War to the Bitter End,' Strikes Key Hamas...
Israel launches deadly Gaza attacks
Israel Puts War Footage
Israel warns Gaza of impending invasion - Israel-Palestinians ...
Israel: Preparing for War
Israel-Gaza conflict: Tens of thousands in London protest Gaza ...
Israel-Gaza Strip barrier
Israeli war strategy.
IDF in urban combat.
Israel's War Crimes
Israels War on Hamas:A Dozen Thoughts
News from Israel,Ynetnews - Israel at War
Now Israel declares 'war to the bitter end' - Middle East, World ...
Religious war in Gaza - Israel Opinion, Ynetnews
The 2007-2008 Israel-Gaza conflict refers to a series of battles between Palestinian militants

My students are back from the holidays, and I couldn't be happier! Tomorrow night I have 14 new graduate students who I'll be meeting in my Computer Security class where I teach at the University of Alabama at Birmingham. But this analysis was by one of my undergraduate research students who works on malware analysis for me.

Although the volume is greatly reduced from Christmas and New Years, we are continuing to see a regular flow of "eCards" into the UAB Spam Data Mine. Today's domain name of choice was "smartcardgreeting.com". The website hasn't changed since what I showed in the January 3rd post - Happy New Year! Here's a Virus! - but the malware is much less detectable.

How bad? Only ONE of thirty-nine products at VirusTotal.com was able to detect this malware as being a bad file:

The other malware he analyzed today was a fake ClassMates.com malware. ClassMates.com has been targeted on and off for most of the month of December with a spam message claiming to have a video for you to review. Of course the video doesn't actually play and instead prompts you to download a program which claims to be an AdobePlayer.

There were actually two separate groups of five domains involved in this attack.

The latter group was registered on TodayNic.com, and used the Nameserver NS1.NEWHOSTINGFORUS.COM.

Each of these had a page called "reunion2009.htm" which contained the fake video and the malware downloader, and looked like this:

All of the sites were registered with the Chinese domain registrar, BizCN.com, and each used the same nameserver, NS1.AVAILABLEREG.COM.

The first piece of malware, Adobe_Player10.exe, actually has a mediocre detection rate of 16 out of 39 VirusTotal detections. Unfortunately, the only function of this malware is to drop the REAL malware, which is being downloaded from the site:

shangaicons.com/22.exe

22.exe is "double-packed": the hacker takes his virus, packs it with a packer to avoid detection, and then takes the result and packs it with a different packer as well. The result is a very hard to detect piece of malware, as evidenced by the fact that only ONE of 39 anti-virus products was able to detect this as well:

My student malware analyst was able to successfully unpack the 22.exe malware, and found that it is a root-kitted keylogger, in the same family we've been seeing. It steals passwords from your computer as you type them, and sends them with patterns like this:

As we review some of the biggest "wins" against spammers, phishers and cyber criminals in 2008, everyone's list starts with Ralsky. On January 3, 2008, the forty page indictment against Alan Ralsky was unsealed. We reported on the indictment in our January 3, 2008 blog entry: Ralsky: Going Down.

But what happened since?

After acknowledging his indictment, on January 9, 2008, Ralsky was released on $50,000 bail.

A notice to appear was issued on January 29, 2008, asking Ralsky and friends to appear before the Honorable Marianne O Battani on March 17, 2008 for a Pretrial Scheduling Conference.

On March 17, 2008 that conference was rescheduled until June 17, 2008.

On June 17, 2008 that conference was rescheduled until October 21, 2008.

Wait! What about the "Speedy Trial Act"? Well . . . there were ELEVEN people indicted originally. As of June 17th, two of the eleven had not appeared before the court to be arraigned. (Peter Severa had not appeared, because he lives in Russia and was never arrested, and for almost exactly the opposite reason, Francis Tribble had not appeared because he was in jail in Los Angeles County and they hadn't transported him yet.) Because of this, the parties involved decided "the 70-day time period under 18 U.S.C. § 3161(c)(1) has not yet commenced."

At the first conference, it was noted that the "lengthy electronic discovery" had produced vast mountains of electronic evidence which had not yet been processed to the point of fully understanding what was at hand. At the second conference, it was "indicated that an additional 120 days would be needed to allow for the extraction and examination of the computer evidence by the defendants."

In other words, the defense was saying, because you have so much evidence against our client, we haven't had time to go through it all yet. (Which is either a stall tactic, or an indication of poor technology, which do you believe? I believe both are probably true.) Oh, and that means:

The parties do therefore agree and stipulate that the period of time from June 17, 2008 through October 28, 2008, shall be excluded from the time computation of the 70-day Speedy Trial period, due to the absence of defendant Tribble, and also due to the need for the parties to effectively manage the extensive electronic discovery presented in this unusual and complex case, because the ends of justice served in taking such action outweighs the best interest of the public and the defendants in a speedy trial, under 18 U.S.C. § 3161(h)(8)(B)(ii).

The following lawyers, all representing the spammers, signed off on that statement:

On August 12, 2008 there was a hearing regarding joint representation for Ralsky and Bown (it was denied).

On September 18, 2008 Ralsky's bond conditions were altered to allow him to travel anywhere in the United States as long as he provides prior notification to Pre-Trial Services and the US Attorney's Office.

The October 12, 2008 Pre-Trial conference got rescheduled to November 10, 2008.

At that time, they got down to business, and released the Order to Continue on November 19, 2008. Here's the new gameplan:

Feb 27, 2009: All Discovery must be completed
March 31, 2009: All Pre-Trial Motions are due
April 21, 2009: All Responses to Motions are due
May 12, 2009: Motion Hearing scheduled for 2 PM
May 12, 2009: If no motions, pleas are due at this time

Sep 9, 2009: Jury Trial Begins

For some in the Anti-Spam Community, this seems like a LOOOOOONG time for Justice, especially given that Ralsky is traveling the US as a free man until then.

Saturday, January 03, 2009

I've been busy this week looking at the various defacements (see ComputerWorld, and ABC News) and other cyber attacks (see yesterday's blog) going on against Israel, so I hadn't had a chance to look at my New Years Cards yet!

Sadly, all of my New Years Cards were viruses (although I did get two real Christmas Cards by email.)

The most recent ones I looked at arrived this morning, pointing me to the websites:

bestyearcard.com
youryearcard.com

I decided to see what computers were currently hosting the website "youryearcard.com", and, sure enough, it was hosted with Fast Flux.

All of those sites seem to have been distributing malware pretending to be a card. They are all related to each other (based on the fact they resolve to the same hacked computers.)
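As an added example of the two checks made above (mine, not the blog's own tooling), this repeats A-record lookups of a suspect domain, summarises the fast-flux indicators (low TTL, many distinct IPs spread over many networks, addresses changing between answers), and then groups domains that resolve to the same hosts, which is the "they are all related" reasoning. The `dig` snapshots and the RFC 5737 test addresses are constructed; grouping by /16 is a coarse stand-in for a real ASN lookup.

```python
"""Fast-flux indicators and shared-host clustering from repeated A-record lookups."""
import ipaddress
import subprocess
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Tuple


class Observation(NamedTuple):
    domain: str
    ttl: int            # lowest TTL seen in this answer
    ips: FrozenSet[str]  # A records returned in this answer


def parse_dig_answer(text: str) -> List[Observation]:
    """Parse `dig +noall +answer` lines ('name. ttl IN A ip') into one Observation per domain."""
    by_domain: Dict[str, Tuple[int, set]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN" or parts[3] != "A":
            continue
        name, ttl, ip = parts[0].rstrip(".").lower(), int(parts[1]), parts[4]
        ttl_min, ips = by_domain.get(name, (ttl, set()))
        by_domain[name] = (min(ttl_min, ttl), ips | {ip})
    return [Observation(d, t, frozenset(i)) for d, (t, i) in by_domain.items()]


def dig_once(domain: str, timeout: int = 10) -> List[Observation]:
    """Live lookup through the system dig client (not used by the embedded sample)."""
    try:
        out = subprocess.run(["dig", "+noall", "+answer", domain, "A"],
                             capture_output=True, text=True, timeout=timeout).stdout
    except (OSError, subprocess.SubprocessError):
        return []
    return parse_dig_answer(out)


def fast_flux_indicators(observations: Iterable[Observation], ttl_threshold: int = 300,
                         min_ips: int = 5, min_networks: int = 3) -> dict:
    """Summarise repeated lookups of ONE domain. Thresholds are assumptions of this example."""
    obs = list(observations)
    all_ips = set().union(*(o.ips for o in obs)) if obs else set()
    networks = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in all_ips}
    # Churn: addresses that appeared in a later answer but were absent from the first.
    first = obs[0].ips if obs else frozenset()
    churned = all_ips - set(first)
    min_ttl = min((o.ttl for o in obs), default=0)
    suspected = (min_ttl <= ttl_threshold and len(all_ips) >= min_ips
                 and len(networks) >= min_networks)
    return {"distinct_ips": len(all_ips), "distinct_slash16": len(networks),
            "churned_ips": len(churned), "min_ttl": min_ttl, "fast_flux_suspected": suspected}


def shared_hosts(observations: Iterable[Observation]) -> Dict[str, List[str]]:
    """ip -> sorted domains that resolved to it, keeping only IPs shared by 2+ domains."""
    ip_to_domains = defaultdict(set)
    for o in observations:
        for ip in o.ips:
            ip_to_domains[ip].add(o.domain)
    return {ip: sorted(ds) for ip, ds in sorted(ip_to_domains.items()) if len(ds) > 1}


# Constructed sample: three snapshots of youryearcard.com taken a few minutes
# apart, plus one of bestyearcard.com. Addresses are RFC 5737 documentation ranges.
SAMPLE_DIG_SNAPSHOTS = [
    "youryearcard.com.\t180\tIN\tA\t192.0.2.10\n"
    "youryearcard.com.\t180\tIN\tA\t192.0.2.11\n"
    "youryearcard.com.\t180\tIN\tA\t198.51.100.20\n"
    "youryearcard.com.\t180\tIN\tA\t203.0.113.30\n",
    "youryearcard.com.\t180\tIN\tA\t192.0.2.10\n"
    "youryearcard.com.\t180\tIN\tA\t198.51.100.21\n"
    "youryearcard.com.\t180\tIN\tA\t203.0.113.31\n"
    "youryearcard.com.\t180\tIN\tA\t203.0.113.32\n",
    "youryearcard.com.\t180\tIN\tA\t192.0.2.12\n"
    "youryearcard.com.\t180\tIN\tA\t198.51.100.20\n"
    "youryearcard.com.\t180\tIN\tA\t198.51.100.22\n"
    "youryearcard.com.\t180\tIN\tA\t203.0.113.33\n",
    "bestyearcard.com.\t180\tIN\tA\t192.0.2.10\n"
    "bestyearcard.com.\t180\tIN\tA\t203.0.113.31\n",
]


def sample_observations() -> List[Observation]:
    return [o for snap in SAMPLE_DIG_SNAPSHOTS for o in parse_dig_answer(snap)]


if __name__ == "__main__":
    obs = sample_observations()
    print(fast_flux_indicators(o for o in obs if o.domain == "youryearcard.com"))
    for ip, domains in shared_hosts(obs).items():
        print(ip, "->", ", ".join(domains))
```

A CDN also answers with short TTLs and many addresses, so treat the indicator as a reason to look at who owns the hosts (the post's point about hacked residential machines), not as a verdict on its own.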

The New Years site that we visited just now looks like this:

Although that looks like a website, it turns out the entire thing is a single file called "img.jpg". Clicking anywhere on the image causes the same result - you are prompted to download "postcard.exe".

postcard.exe is of course a virus. We submitted the virus to Virus Total, and got this Virus Total Analysis indicating that only 16 of 38 anti-virus products knew this was malware. Most of them called it either a version of "ElDorado", or gave it a new name of "Waledac", the latter being the name used by McAfee, Microsoft, and Symantec.

McAfee has a Nice Technical Report on what Waledac does, but basically it harvests all of the email addresses from your computer, sends them to one of many different machines, downloads some spam templates, and begins sending spam.

McAfee's report is from December 26th, and includes subject lines such as:

Merry Christmas greetings for you
You have received an Ecard
A Christmas card from a friend
Happy Xmas !

The domain names listed in the McAfee report of December 26th are all still live and all still distributing the current version of the virus, which has been modified many times since that report to try to prevent detection. So, visiting:

justchristmasgift.com or yourdecember.com

gives you the same virus that visiting the current New Years domains would give you.

I know you are probably getting tired of this advice, but it still applies:

DO NOT CLICK ON LINKS IN EMAIL MESSAGES!!!

My malware team is still enjoying their vacation. If this is still a threat on Monday, we'll dig deeper to determine if the malware performs other actions.

In the meantime, Happy New Year!

Gary Warner
Director of Research
UAB Computer Forensics
The University of Alabama at Birmingham

Friday, January 02, 2009

After more than 10,000 websites were defaced in protest of Israeli actions in Gaza, the Morocco-based defacement team "Team Evil" has raised the cyber attack to a new level. By logging in to the Internet registration services provider, Domain The Net Technologies, using the real credentials of the domain owner, the hackers were able to redirect traffic for several prominent Israeli websites, including that of YnetNews.com, a major Israeli English-language news website, and the website "www.israirairlines.com". This blogger also found evidence that the site "terrorism-info.org.il" was rerouted to the same location. Terrorism-info is a site showing "Operation Cast Lead" from the Israeli point of view.

Anyone entering the actual address of YnetNews during this time would not be sent to the real webserver, but instead be redirected by the fake DNS server to another server, displaying the hacker's message.

The website read:

Hacked by JURM-TEAM & CYBER-TERRORIST & TEAM-Evil

Lpooxd@gmail.com & Cyb3rt@hotmail.com

The Bitter Truth History repeats itself all the victims were said to words such as "terrorists" and the only reason for those words and that the overwhelming offender and murderer was a stronger force, but will not last, and the criminals will be rotting in hell and can not escape the punishment of God

Holocaust :Victims (the Palestinians) - the offender (the Zionists) # are still ongoing #Holocaust :Victims (the Iraqis) - the offender (U.S. military) # are still ongoing #

There are many images that continue to occur, but you learn from history?!* * *The only solution for peace for all peoples in Palestine, Jews and Muslims and Christians is the demise of the Zionist and that the treatment of malignant cancer tumor Look at the result of X-Ray for tumor, and they will learn that they do not want the peace, it is a dirty game of global..... Machine Closed...

(Images are not included above. The images included covered bodies, a scene from Abu Ghraib prison, a protestor with a sign against Zionism, and a series of maps showing the loss of land by Palestinians.)

During the attack, the YNetNews web address was being resolved by the nameserver "ns1.bestsecurity.jp". To its credit, YNetNews actually ran a story about the attack on its own website. Unfortunately both Lebanese and Israeli media sources have reported that the traffic was being rerouted to Japan. This is actually not correct. The IP address for ns1.bestsecurity.jp is 64.38.30.146, which is actually located on Fast Servers in Chicago, Illinois. The machine to which the traffic was being redirected, 64.38.30.147, was also at Fast Servers in Chicago, Illinois.

This is not the first time the YNetNews website has been hacked in response to Israeli actions. The website was also defaced back on July 5, 2008 by a hacker group calling itself "Jurm-Team". At that time the website showed a Syrian flag, and had a headline reading "Syria: End Israeli Aggression".

It had been speculated that such an attack would be performed by stealing the password used to log in to the domain registration server; one common way to steal such information is to plant a trojan on a computer belonging to a target. The YNetNews story mentioned above actually interviewed Yoav Keren, CEO of DomainTheNet Technologies, who confirmed that Team Evil hackers had breached their server and were able to find the passwords used by various domain registration customers, allowing the hackers to then log in as the domain owner and re-route their DNS servers as described above. (The breach has since been closed.)

Thursday, January 01, 2009

Happy New Year! As we get ready for the New Year, there are quite a few security folks making predictions for 2009. I think my friend Dan Clemens covered that pretty well in his PacketNinjas Yearly Security Predictions. I'm going to limit myself to saying the criminals will continue to innovate, data breaches will become even more commonplace, and corporate America will continue to TALK about security without making the necessary fundamental changes to actually BE secure.

I'd rather spend this morning looking back on 2008, and some of the highlights that we discovered at UAB Computer Forensics as I and my staff spent the year analyzing spam, phishing, and malware and sharing what we found with you.

Last year we shared 102 Blog entries with you. Rather than tell you what *I* thought was most interesting, I thought I'd share with you what *YOU* seemed to think was the most interesting, based on the visits to each blog entry.

We'll hit these Top Ten Style . . . which means we start with . . .

Number Ten

Internet Landfill McColo Corporation

Perhaps one of the top accomplishments by "the good guys" this year was the closing of McColo. This story coined the term "Internet Landfill" to describe those networks which exist only to host trash, filth, and crime on the Internet. Championing journalist Brian Krebs led the charge, and the Internet should send him a big Thank You. Perhaps more important than shutting down McColo, which resulted in a 2/3rds drop in spam volumes world-wide, was the proof that we CAN do something about spam if we work together.

Number Nine

Demise of Index1.php PornTube Video malware

Number Eight

Enom Phishing Continues

Both Enom and Network Solutions, two major domain registrars, had phishing campaigns against them back-to-back. We believe this led to quite a few domain take-overs later in the year, including financial services company CheckFree. Using the stolen userids and passwords of the people who rightly control the domain name information, criminals logged in and redirected dozens of domains to a server they controlled.

Number Six

Anti-Virus Products Still Fail on Fresh Malware

Three examples in this blog showed that current anti-virus products fail miserably at detecting fresh malware. Some of our examples, "in the wild" as evidenced by us finding them in our spam, were detected by as few as 5 out of 36 anti-virus products tested.

Number Five

Governor Palin's Email Security Questions in the Facebook Age

When 20-year-old David Kernell broke into Governor Palin's Yahoo account by Googling up the answers to her security questions, we took a minute to point out how foolish this security practice is in this time when everyone's personal information is online.

Number Four

More than 1 Million Ways to Infect Your Computer

A criminal used malware to seed thousands of websites with search terms pointing at open redirectors on many websites, including Microsoft.com and IRS.gov. The result is many search terms showing up in Google with the number one hit being a redirector that will infect the visitor with a fake anti-virus.

Number Three

Storm Worm: Amero to replace Dollar?

Remember the Storm Worm? In July it pretended to be a warning that the US Dollar was being replaced by a gold coin. The continued popularity of this page actually has nothing to do with security. Rumor after rumor has circulated that the "Amero" proves that Bush was planning to merge Canadian, US, and Mexican currencies, and desperate tinfoil hat types keep Googling up my page.

Number Two

Computer Virus Masquerades as Obama Speech

A criminal who has been stealing userids and passwords since May gained perhaps his biggest collection yet when he created a fake Obama acceptance speech which was widely spammed the morning after the election. Anyone who visited the website to view the video would be trojaned and begin sending all of their login data to a computer in the Ukraine. This same criminal ran dozens of spam and social engineering campaigns this year, primarily pretending to be a new "Digital Certificate" for your bank.

Number One

MSNBC "Breaking News" replaces CNN Spam Wave

One of the tricks the spammers used to get people to infect themselves was to promise to show them videos. We later found malware which actually searched real news sites to select headlines, which were then stuffed into the spam messages to give the spam timely relevance to its readers. When the spam began imitating MSNBC's Breaking News alerts, even more people found themselves infected, causing their own computers to begin sending spam as well.

“It’s hard to know what you are actually going to get from a test in a laboratory against five computers when the capability you need has to function against five million computers,” he continues. “There’s nowhere to test that, so DARPA’s trying to put together a range with fidelity in many dimensions — such as the number and types of nodes and how they’re connected — so that you can accurately determine the effectiveness of some tool. The real trick will be how quickly you can upgrade the range to deal with changing threats.”

You might be wondering, as I was, "so what will that really look like?" The media has been all over the place with this one. InfoWar Monitor claimed "The agency's National Cyber Range for cyberwar simulation would be similar to Star Trek's holodeck or a Snow Crash-style Metaverse". Noah Schiffman wrote in his Security Phreak blog that the project would cost "an estimated $30 billion", and got slash-dotted quite a bit calling the project "Doomed to Failure". (Interesting that one project could cost $30 billion, when DARPA's entire appropriation for FY09 was a little over THREE billion; see Department of Defense Appropriation FY09: "The fiscal year 2009 budget request for DARPA is $3,285,569,000, an increase of $326,493,000, more than 10 percent, over the fiscal year 2008".)

I did a couple hundred pages of reading, so you, gentle reader, won't have to . . .

So how did this come about?

It started back in November 2007 with a call from DARPA's Michael VanPutte, who is the Program Manager of their Strategic Technology Office. They gave a two month comment period for people to describe what they thought a Cyber Range should do. (See: Request for Information on Cyber Network Range Capabilities (CNRC).) Whatever responses they got were used to help decide what the requirement should be for a National Cyber Range, and the first pass of asking for proposals to build one was May 5, 2008. In that request, they asked for some quick responses (deadlined June 30, 2008) from people who might be able to build something like that. The idea was that they would fund several competitive teams to see who could come up with something worthy of major long-term funding. A Proposers' Day Workshop was held on May 13-14, 2008 at the Hilton Washington Dulles, with a review of classified requirements the previous day at the Schafer Corporation for proposers.

Proposers' Day gave a 2.5-hour briefing on the Project, with proposers able to fill out Q&A cards, which were then addressed during the afternoon session.

The following day was for people who were looking for Team members to pitch what they had to offer and what they were looking for to build a successful proposal team.

The solicitation gave a number of objectives, including the ability to replicate and operate large-scale military and government network enclaves, commercial and tactical wireless and control systems, and a method of being able to rapidly prototype, deploy, monitor, and evaluate tests, new research protocols

The Solicitation boiled down to three phases:

Phase I - Design Objectives: Proposers had at most six months to develop a Preliminary Design Review which would prove that they had an Initial Conceptual Design which might be able to be developed into Detailed Engineering Plans and a workable Concept of Operations. Proposers who passed Phase I would receive funding to move into Phase II.

Phase II - Prototype Objectives: Proposers now have to do a few things:

Demonstration, to include:
- deploying two different host node recipes
- creating new recipes
- rapid testbed reconstruction
- test management
- time synch and auditing
- data collection tools, including packet captures, event log captures, malware event collection, and automated attacks
- a traffic generation system including incoming and outgoing email, automated port scanning, automated attacks, and simulated HTTP and other traffic
- human "replicants" who simulate the use of software products, browsers, media players and email clients
- replicated inter-enclave communication channels
- aggregating all sub-nodes into one large test bed
- dynamically freeing resources from one test and reassigning them to another

When it's all done, what will it be able to do?

Phase III: National Cyber Range Objectives:

One of the Phase II Demonstrators would be picked to fully deploy the National Cyber Range to meet the following objectives:

Network Technologies and Support - (make the network look like any network)

Protocols and Services - (allow the network to run any protocols)

Scalability - be able to deploy everything from single devices to tests incorporating several thousand nodes.

TASK 2 - RANGE MANAGEMENT

- Provide automated pre-test planning support
- Enable automated resource allocation based on needs and priorities
- Support both short (1 week) and long (6 month) research programs
- Provide a means to rapidly and securely de-obligate test resources after tests
- Enable free resources to be pooled and allocated to low priority, non-interactive, batch tests
- Provide a knowledge management suite for lessons learned (both within and across tests)
- Provide a means to incorporate additional technologies

TASK 3 - TEST MANAGEMENT

Facilitate the Test Director's activities by providing a palette of resources available, as well as products to assist in pre-test planning, test execution, data collection, post test analysis and closeout support.

TASK 4 - TRANSPARENCY

Tests must be monitored for both quantitative and qualitative assessment, including instrumented monitoring and observer/controller evaluation and analysis.

TASK 5 - QUALIFIED, ON-SITE SUPPORT TEAM

Provide a number of highly skilled, experienced network engineers, system administrators and domain administrators, with rapid response time and trouble ticketing system to track assistance requests.

TASK 6 - HUMAN INTERACTION AND REPLICATION

Allow players OR automation to fulfill the roles of:
- Oppositional Forces (OpFor), including both sophisticated cyber activity, defensive computing to protect national assets, and computer network attack, with facilities that can be controlled by OpFor isolated from the Test Director's team.
- Team Integration
- Traffic Generators
- Human Actor Replicants and Program Activators (Host-based)